After extensive initial research in 2015, Insecure Deserialization has been a very hot topic in the Java world. More and more deserialization vulnerabilities are found in various software, with new exploitation techniques showing up regularly. Eventually, “Insecure Deserialization” made it onto the OWASP Top 10 – 2017 list.

In this tech segment Aleksei talks about the technical reasons behind the existence of deserialization flaws and how to tell whether a (de)serialization library is potentially vulnerable. Aleksei also shows how to detect these vulnerabilities and gives some examples of exploitation.